Cloud Reference Architecture - Unit V

The NIST Cloud Computing Reference Architecture outlines the major actors in cloud computing, including cloud consumers, providers, auditors, brokers, and carriers, each with specific roles and responsibilities. It emphasizes the interactions among these actors and the importance of service level agreements (SLAs) in defining the relationships and expectations between consumers and providers. The document also discusses various usage scenarios to illustrate how these actors collaborate to deliver cloud services effectively.

NIST SP 500-292 NIST Cloud Computing Reference Architecture

2. Cloud Computing Reference Architecture: An Overview


2.1 The Conceptual Reference Model
Figure 1 presents an overview of the NIST cloud computing reference architecture, which identifies the
major actors, their activities and functions in cloud computing. The diagram depicts a generic high-level
architecture and is intended to facilitate the understanding of the requirements, uses, characteristics and
standards of cloud computing.

Figure 1: The Conceptual Reference Model

As shown in Figure 1, the NIST cloud computing reference architecture defines five major actors: cloud
consumer, cloud provider, cloud carrier, cloud auditor and cloud broker. Each actor is an entity (a person
or an organization) that participates in a transaction or process and/or performs tasks in cloud computing.
Table 1 briefly lists the actors defined in the NIST cloud computing reference architecture. The general
activities of the actors are discussed in the remainder of this section, while the details of the architectural
elements are discussed in Section 3.
Figure 2 illustrates the interactions among the actors. A cloud consumer may request cloud services from
a cloud provider directly or via a cloud broker. A cloud auditor conducts independent audits and may
contact the others to collect necessary information. The details will be discussed in the following sections
and presented in increasing level of details in successive diagrams.

Actor | Definition
Cloud Consumer | A person or organization that maintains a business relationship with, and uses service from, Cloud Providers.
Cloud Provider | A person, organization, or entity responsible for making a service available to interested parties.
Cloud Auditor | A party that can conduct independent assessment of cloud services, information system operations, performance and security of the cloud implementation.
Cloud Broker | An entity that manages the use, performance and delivery of cloud services, and negotiates relationships between Cloud Providers and Cloud Consumers.
Cloud Carrier | An intermediary that provides connectivity and transport of cloud services from Cloud Providers to Cloud Consumers.

Table 1: Actors in Cloud Computing

Figure 2: Interactions between the Actors in Cloud Computing

Example Usage Scenario 1: A cloud consumer may request service from a cloud broker instead
of contacting a cloud provider directly. The cloud broker may create a new service by combining
multiple services or by enhancing an existing service. In this example, the actual cloud providers
are invisible to the cloud consumer and the cloud consumer interacts directly with the cloud
broker.

Figure 3: Usage Scenario for Cloud Brokers

Example Usage Scenario 2: Cloud carriers provide the connectivity and transport of cloud
services from cloud providers to cloud consumers. As illustrated in Figure 4, a cloud provider
participates in and arranges for two unique service level agreements (SLAs), one with a cloud
carrier (e.g. SLA2) and one with a cloud consumer (e.g. SLA1). A cloud provider arranges
service level agreements (SLAs) with a cloud carrier and may request dedicated and encrypted
connections to ensure the cloud services are consumed at a consistent level according to the
contractual obligations with the cloud consumers. In this case, the provider may specify its
requirements on capability, flexibility and functionality in SLA2 in order to provide essential
requirements in SLA1.

Figure 4: Usage Scenario for Cloud Carriers

Example Usage Scenario 3: For a cloud service, a cloud auditor conducts independent
assessments of the operation and security of the cloud service implementation. The audit may
involve interactions with both the Cloud Consumer and the Cloud Provider.

Figure 5: Usage Scenario for Cloud Auditors

2.2 Cloud Consumer


The cloud consumer is the principal stakeholder for the cloud computing service. A cloud consumer
represents a person or organization that maintains a business relationship with, and uses the service from
a cloud provider. A cloud consumer browses the service catalog from a cloud provider, requests the
appropriate service, sets up service contracts with the cloud provider, and uses the service. The cloud
consumer may be billed for the service provisioned, and needs to arrange payments accordingly.
Cloud consumers need SLAs to specify the technical performance requirements fulfilled by a cloud
provider. SLAs can cover terms regarding the quality of service, security, and remedies for performance
failures. A cloud provider may also list in the SLAs a set of promises explicitly not made to consumers,
i.e. limitations, and obligations that cloud consumers must accept. A cloud consumer can freely choose a
cloud provider with better pricing and more favorable terms. Typically a cloud provider
and SLAs are non-negotiable, unless the customer expects heavy usage and might be able to negotiate for
better contracts [2].
Depending on the services requested, the activities and usage scenarios can be different among cloud
consumers. Figure 6 presents some example cloud services available to a cloud consumer (For details, see
Appendix B: Examples of Cloud Services) [13].

Figure 6: Example Services Available to a Cloud Consumer

SaaS applications in the cloud and made accessible via a network to the SaaS consumers. The consumers
of SaaS can be organizations that provide their members with access to software applications, end users
who directly use software applications, or software application administrators who configure applications
for end users. SaaS consumers can be billed based on the number of end users, the time of use, the
network bandwidth consumed, the amount of data stored or duration of stored data.
Cloud consumers of PaaS can employ the tools and execution resources provided by cloud providers to
develop, test, deploy and manage the applications hosted in a cloud environment. PaaS consumers can be
application developers who design and implement application software, application testers who run and
test applications in cloud-based environments, application deployers who publish applications into the
cloud, and application administrators who configure and monitor application performance on a platform.
PaaS consumers can be billed according to processing, database storage and network resources consumed
by the PaaS application, and the duration of the platform usage.
Consumers of IaaS have access to virtual computers, network-accessible storage, network infrastructure
components, and other fundamental computing resources on which they can deploy and run arbitrary
software. The consumers of IaaS can be system developers, system administrators and IT managers who
are interested in creating, installing, managing and monitoring services for IT infrastructure operations.
IaaS consumers are provisioned with the capabilities to access these computing resources, and are billed
according to the amount or duration of the resources consumed, such as CPU hours used by virtual
computers, volume and duration of data stored, network bandwidth consumed, number of IP addresses
used for certain intervals.

2.3 Cloud Provider


A cloud provider is a person or an organization; it is the entity responsible for making a service available to
interested parties. A Cloud Provider acquires and manages the computing infrastructure required for
providing the services, runs the cloud software that provides the services, and makes arrangements to
deliver the cloud services to the Cloud Consumers through network access.
For Software as a Service, the cloud provider deploys, configures, maintains and updates the operation of
the software applications on a cloud infrastructure so that the services are provisioned at the expected
service levels to cloud consumers. The provider of SaaS assumes most of the responsibilities in managing
and controlling the applications and the infrastructure, while the cloud consumers have limited
administrative control of the applications.
For PaaS, the Cloud Provider manages the computing infrastructure for the platform and runs the cloud
software that provides the components of the platform, such as runtime software execution stack,
databases, and other middleware components. The PaaS Cloud Provider typically also supports the
development, deployment and management process of the PaaS Cloud Consumer by providing tools such
as integrated development environments (IDEs), development version of cloud software, software
development kits (SDKs), deployment and management tools. The PaaS Cloud Consumer has control
over the applications and possibly some of the hosting environment settings, but has no or limited access to
the infrastructure underlying the platform such as network, servers, operating systems (OS), or storage.
For IaaS, the Cloud Provider acquires the physical computing resources underlying the service, including
the servers, networks, storage and hosting infrastructure. The Cloud Provider runs the cloud software
necessary to make computing resources available to the IaaS Cloud Consumer through a set of service
interfaces and computing resource abstractions, such as virtual machines and virtual network interfaces.
The IaaS Cloud Consumer in turn uses these computing resources, such as a virtual computer, for their
fundamental computing needs. Compared to SaaS and PaaS Cloud Consumers, an IaaS Cloud Consumer
has access to more fundamental forms of computing resources and thus has more control over more
software components in an application stack, including the OS and network. The IaaS Cloud Provider, on
the other hand, has control over the physical hardware and cloud software that make the provisioning of
these infrastructure services possible, for example, the physical servers, network equipment, storage
devices, host OS and hypervisors for virtualization.
A Cloud in Figure 7, a cloud provider
conducts its activities in the areas of service deployment, service orchestration, cloud service
management, security, and privacy. The details are discussed in Section 3.

Figure 7: Cloud Provider - Major Activities

2.4 Cloud Auditor


A cloud auditor is a party that can perform an independent examination of cloud service controls with the
intent to express an opinion thereon. Audits are performed to verify conformance to standards through
review of objective evidence. A cloud auditor can evaluate the services provided by a cloud provider in
terms of security controls, privacy impact, performance, etc.

enabling third parties to assess by Vivek Kundra, Federal Cloud


Computing Strategy, Feb. 2011.). Security controls [3] are the management, operational, and technical
safeguards or countermeasures employed within an organizational information system to protect the
confidentiality, integrity, and availability of the system and its information. For security auditing, a cloud
auditor can make an assessment of the security controls in the information system to determine the extent
to which the controls are implemented correctly, operating as intended, and producing the desired
outcome with respect to the security requirements for the system. The security auditing should also
include the verification of the compliance with regulation and security policy. For example, an auditor
can be tasked with ensuring that the correct policies are applied to data retention according to relevant
rules for the jurisdiction. The auditor may ensure that fixed content has not been modified and that the
legal and business data archival requirements have been satisfied.
A privacy impact audit can help Federal agencies comply with applicable privacy laws and regulations

individu

2.5 Cloud Broker


As cloud computing evolves, the integration of cloud services can be too complex for cloud consumers to
manage. A cloud consumer may request cloud services from a cloud broker, instead of contacting a cloud
provider directly. A cloud broker is an entity that manages the use, performance and delivery of cloud
services and negotiates relationships between cloud providers and cloud consumers.
In general, a cloud broker can provide services in three categories [9]:
Service Intermediation: A cloud broker enhances a given service by improving some specific
capability and providing value-added services to cloud consumers. The improvement can be
managing access to cloud services, identity management, performance reporting, enhanced
security, etc.
Service Aggregation: A cloud broker combines and integrates multiple services into one or more
new services. The broker provides data integration and ensures the secure data movement
between the cloud consumer and multiple cloud providers.
Service Arbitrage: Service arbitrage is similar to service aggregation except that the services
being aggregated are not fixed. Service arbitrage means a broker has the flexibility to choose
services from multiple agencies. The cloud broker, for example, can use a credit-scoring service
to measure and select an agency with the best score.

2.6 Cloud Carrier


A cloud carrier acts as an intermediary that provides connectivity and transport of cloud services between
cloud consumers and cloud providers. Cloud carriers provide access to consumers through network,
telecommunication and other access devices. For example, cloud consumers can obtain cloud services
through network access devices, such as computers, laptops, mobile phones, mobile Internet devices
(MIDs), etc. [1]. The distribution of cloud services is normally provided by network and
telecommunication carriers or a transport agent [8], where a transport agent refers to a business
organization that provides physical transport of storage media such as high-capacity hard drives. Note that
a cloud provider will set up SLAs with a cloud carrier to provide services consistent with the level of
SLAs offered to cloud consumers, and may require the cloud carrier to provide dedicated and secure
connections between cloud consumers and cloud providers.

2.7 Scope of Control between Provider and Consumer


The Cloud Provider and Cloud Consumer share the control of resources in a cloud system. As illustrated
in Figure 8, resources and
thus what can be done in a cloud system. The figure shows these differences using a classic software
stack notation comprised of the application, middleware, and OS layers. This analysis of delineation of
controls over the application stack helps understand the responsibilities of parties involved in managing
the cloud application.

Figure 8: Scope of Controls between Provider and Consumer

The application layer includes software applications targeted at end users or programs. The
applications are used by SaaS consumers, or installed/managed/maintained by PaaS consumers,
IaaS consumers, and SaaS providers.
The middleware layer provides software building blocks (e.g., libraries, database, and Java virtual
machine) for developing application software in the cloud. The middleware is used by PaaS
consumers, installed/managed/maintained by IaaS consumers or PaaS providers, and hidden from
SaaS consumers.
The OS layer includes operating system and drivers, and is hidden from SaaS consumers and
PaaS consumers. An IaaS cloud allows one or multiple guest OS to run virtualized on a single
physical host. Generally, consumers have broad freedom to choose which OS to be hosted among
be supported by the cloud provider. The IaaS consumers should assume
full responsibility for the guest OS(s), while the IaaS provider controls the host OS.
